[EXTERNAL] [PATCH] net/octeontx/base: fix out-of-bounds read in DQ range lookup

Jerin Jacob jerinj at marvell.com
Mon Jun 8 17:37:45 CEST 2026

Previous message (by thread): [EXTERNAL] [PATCH] net/octeontx: fix buffer overflow in device name formatting
Next message (by thread): [PATCH] eal: fix core_index for non-EAL registered threads
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Applied to dpdk-next-net-mrvl/for-main. Thanks

________________________________
From: Sergei Iashin <yashin.sergey at gmail.com>
Sent: Tuesday, April 7, 2026 5:00 PM
To: Harman Kalra <hkalra at marvell.com>; Santosh Shukla <santosh.shukla at caviumnetworks.com>; Jerin Jacob <jerinj at marvell.com>
Cc: dev at dpdk.org <dev at dpdk.org>; stable at dpdk.org <stable at dpdk.org>; jerin.jacob at caviumnetworks.com <jerin.jacob at caviumnetworks.com>; Sergei Iashin <yashin.sergey at gmail.com>
Subject: [EXTERNAL] [PATCH] net/octeontx/base: fix out-of-bounds read in DQ range lookup

In octeontx_pko_dq_range_lookup(), the inner while loop evaluates the array access ctl->dq_map[dq]. chanid before the bounds check dq < RTE_DIM(ctl->dq_map). When dq is incremented to 256 inside the loop, the next iteration reads one
ZjQcmQRYFpfptBannerStart
Prioritize security for external emails:
Confirm sender and content safety before clicking links or opening attachments
<https://us-phishalarm-ewt.proofpoint.com/EWT/v1/CRVmXkqW!tm3Z1f8UYnVa9O-cmb1abtPB-IORJwK3Jr3VXVds937zvL1Te5uABuIyTLhBPe1u0lFyd2PYF2MzgfBRj9IabE7Hc6ItR791qHo$>
Report Suspicious

ZjQcmQRYFpfptBannerEnd

In octeontx_pko_dq_range_lookup(), the inner while loop evaluates the
array access ctl->dq_map[dq].chanid before the bounds check
dq < RTE_DIM(ctl->dq_map). When dq is incremented to 256 inside the
loop, the next iteration reads one element past the end of the
256-element dq_map array before the bounds condition can short-circuit.

Swap the two conjuncts so the bounds check is evaluated first, matching
the pattern already used in the outer loop.

Fixes: cad78ca23818 ("net/octeontx/base: add base PKO operations")
Cc: jerin.jacob at caviumnetworks.com
Cc: stable at dpdk.org

Signed-off-by: Sergei Iashin <yashin.sergey at gmail.com>
---
 drivers/net/octeontx/base/octeontx_pkovf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/octeontx/base/octeontx_pkovf.c b/drivers/net/octeontx/base/octeontx_pkovf.c
index 7aec84a813..5326fe24b9 100644
--- a/drivers/net/octeontx/base/octeontx_pkovf.c
+++ b/drivers/net/octeontx/base/octeontx_pkovf.c
@@ -196,8 +196,8 @@ octeontx_pko_dq_range_lookup(struct octeontx_pko_vf_ctl_s *ctl, uint64_t chanid,
        while (dq < RTE_DIM(ctl->dq_map)) {
                dq_base = dq;
                dq_cnt = 0;
-               while (ctl->dq_map[dq].chanid == ~chanid &&
-                       dq < RTE_DIM(ctl->dq_map)) {
+               while (dq < RTE_DIM(ctl->dq_map) &&
+                       ctl->dq_map[dq].chanid == ~chanid) {
                        dq_cnt++;
                        if (dq_cnt == dq_num)
                                return dq_base;
--
2.39.5

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mails.dpdk.org/archives/dev/attachments/20260608/3428503b/attachment.htm>

Previous message (by thread): [EXTERNAL] [PATCH] net/octeontx: fix buffer overflow in device name formatting
Next message (by thread): [PATCH] eal: fix core_index for non-EAL registered threads
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list